In November 2018, Congress passed a bill that created the Cybersecurity and Infrastructure Security Agency (CISA). CISA, part of the Department of Homeland Security, offered a federal response to the growing threat of cyber attacks—a threat thrust into the spotlight after the Office of Personnel Management’s (OPM) massive 2015 breach, which left the personal data of 22 million federal employees compromised.
A key component of improved federal cybersecurity is visibility, which is being addressed through CISA’s Continuous Diagnostics and Mitigation (CDM) Program. Last year, Congress upped CDM funding by $53.5 million, setting aside a total of $213.5 million for the program.
The program’s objectives include reducing agencies’ threat surface, increasing visibility into their cyber postures, improving their response capabilities, and streamlining reporting. As these funds are funneled into technology investments, agencies need to recognize that no single vendor is able to solve the entire CDM puzzle.
With that in mind, let’s zoom into a few technologies that can help make visibility a reality and consider how they relate to one another.
To start with something seemingly obvious, federal agencies need to have visibility into the traffic that’s coming and going on their networks to make sure it’s not malicious. While many security devices can look at traffic and detect threats, they can’t do so if the traffic is encrypted, as 90% of Internet data is.
This represents a bit of a catch-22. While encryption can protect data privacy, it can also disguise malware. This conundrum can be addressed through SSL visibility products, which decrypt and re-encrypt traffic before it’s driven to security tools based on context like IP reputation, port/protocol, and URL categorization.
SSL visibility tools allow security devices to do what they do best—actually analyze the traffic—as opposed to wasting precious resources on the intensive decryption/re-encryption process. Full visibility into cyber threats cannot be achieved without this crucial step.
If agencies cannot open up traffic that’s coming and going on their network, they cannot log it correctly—and logging and reporting are key components of CDM requirements. Only by properly decrypting traffic can agencies then send it to a central location to be logged, monitored, reported, and further analyzed.
For instance, with proper decryption and logging, agencies can then apply behavioral analytics, artificial intelligence, and machine learning to analyze the behavior of the traffic. Currently, 88 percent of federal civilian agencies are using a tool called Einstein to do just that.
But once again, these puzzle pieces all must fit together. Advanced analytics cannot happen without the aforementioned decryption.
SSL visibility cracks open encrypted streams to allow security devices to help log and protect those assets. But there are many ways to approach protection. To start, agencies need to protect themselves from OWASP Top Ten threats and emerging zero-day attacks. Another mitigation strategy is to log and monitor traffic so that it may be analyzed, further highlighting the interconnectedness of these different components of cybersecurity.
Similarly, many multi-service application protection platforms can and must also protect against malicious bot traffic. Every industry faces automated attacks like account takeover, vulnerability recon, or denial of service, and the federal government is no exception.
CISA’s CDM program offers a complex but important puzzle that agencies cannot solve through a single vendor. Asset protection itself requires multiple solutions, as agencies are defending against a growing list of attacks. But that protection cannot happen without checking other boxes, such as decrypting and logging traffic.
At the end of the day, agencies cannot protect what they cannot see. While that’s the driving force behind the CDM program, agencies must make sure they have the right tools in place to ensure visibility. Cracking open encrypted traffic, sending it to a central log, running behavioral analytics, and setting up proper asset protection represent a good starting point.
By Ryan Johnson, Federal Solution Engineering Leader, F5